Mirea Virus


 Virus Name:  Mirea 
 Aliases:     Mirea.1788, Lycee, Lycee-1788, Lyceum 
 V Status:    Rare 
 Discovered:  October, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; file time seconds set to "00"; file allocation errors 
 Origin:      USSR 
 Eff Length:  1,788 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, Sweep, F-Prot, IBMAV, ChAV, 
                    NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, AVTK/N, LProt, IBMAV/N, NAV/N, 
                    NProt 
 Removal Instructions:  Delete infected programs 
 
 General Comments: 
       The Mirea, Mirea.1788, Lycee, or Lycee-1788, virus was received in 
       October, 1992.  It is from the USSR.  Mirea is a memory resident 
       infector of .COM and .EXE programs, including COMMAND.COM.  It 
       employs some stealth techniques to avoid detection and quickly 
       spreads the virus to programs on infected systems. 
 
       When the first Mirea infected program is executed, the Mirea virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 2,368 bytes.  Interrupts 08, 09, and 21 will be hooked by Mirea 
       in memory.  Also at this time, the Mirea virus will infect 
       COMMAND.COM if it was not previously infected. 
 
       Once the Mirea virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed, copied, or opened for any 
       reason.  Infected programs will have a file length increase of 
       1,788 bytes, but the file length increase will be hidden when the 
       virus is memory resident.  The Mirea virus can be found at the end 
       of infected files.  The file time in the DOS disk directory will 
       have been altered so that the seconds field is set to "00", which 
       may result in some files appearing to have a blank time.  No text 
       strings are visible in the Lycee viral code in infected programs. 
 
       Systems infected with the Mirea virus will experience file allocation 
       errors on all infected programs when the DOS CHKDSK program is 
       executed with the virus memory resident. 
 
       Known variant(s) of Mirea are: 
       Mirea.737: Received in January, 1996, this is a 737 byte variant 
           of the Mirea virus described above.  Its size in memory is 768 
           bytes, hooking interrupts 21 and 22.  It infects .COM and .EXE 
           files when they are executed or opened, but not on copy.  Infected 
           files will have a file length increase of 737 bytes with the 
           virus being located at the end of the file.  The program's date 
           and time in the DOS disk directory listing will not be altered. 
           System hangs may occur when the virus becomes memory resident. 
           This variant does not hide the file length increase on infected 
           files when memory resident. 
           Origin:  Unknown  January, 1996. 
       Mirea.925: Received in July, 1995, this is a 925 byte variant 
           of the Mirea virus described above.  Its size in memory is 944 
           bytes, hooking interrupts 08 and 21.  It infects .COM and .EXE 
           files when they are executed or opened, but not on copy.  Infected 
           files will have a file length increase of 925 bytes with the 
           virus being located at the end of the file.  This file length 
           increase will be hidden by the virus when it is memory resident. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered when the virus is memory resident, 
           though the DOS DIR command will indicate file date/times of 
           "8-21-81 12:00a" when the virus is not memory resident.  The DOS 
           CHKDSK program will indicate file allocation errors on all 
           infected files when this variant is memory resident. 
           Origin:  Unknown  July, 1995. 
       Mirea.944: A 944 byte variant of the Mirea virus, Mirea.944's 
           size in memory is 1,472 bytes, hooking interrupt 21.  Infected 
           files will have a file length increase of 944 bytes, though the 
           file length increase will be hidden when the virus is memory 
           resident.  The file's date and time in the DOS disk directory 
           listing will not be altered. 
           [Previous Name In VSUM: Lycee.944] 
           Origin:  USSR  January, 1995. 
       Mirea.1800: Received in January, 1996, this is a 1,800 byte 
           variant of the Mirea virus described above.  Its size in memory 
           is 2,384 bytes, hooking interrupts 08, 09, and 21.  It infects 
           .COM and .EXE files, including COMMAND.COM, when they are 
           executed or opened, but not on copy.  Infected files will have a 
           file length increase of 1,800 bytes with the virus being located 
           at the end of the file.  This file length increase, however, will 
           be hidden by the virus when it is memory resident.  The program's 
           date and time in the DOS disk directory listing will not appear 
           to be altered, though the seconds field will have been set to 
           "04".  The DOS CHKDSK program will indicate file allocation 
           errors on some, but not all, infected files when the virus is 
           memory resident. 
           Origin:  Unknown  January, 1996. 
       Mirea.1832: A 1,832 byte variant of the Mirea virus, Mirea.1832's 
           size in memory is 2,416 bytes.  It also hooks interrupts 08, 09, 
           and 21.  Infected files will have a file length increase of 1,832 
           bytes, though the file length increase will be hidden when the 
           virus is memory resident.  The seconds field in the file time in 
           the DOS disk directory listing will be set to "02".  The 
           following text string is encrypted within the viral code, and 
           hence not visible in infected programs: 
           "Welcome to Lycee of Information Technologies !" 
           [Previous Name In VSUM: Lycee-1832] 
           Origin:  USSR  October, 1992. 
       Mirea.1888: A 1,888 byte variant of the Mirea virus, Mirea.1888's 
           size in memory is 2,928 bytes.  It hooks interrupts 08, 
           09, 13 and 21.  Infected files will have a file length 
           increase of 1,888 bytes, though the file length increase 
           will be hidden when the virus is memory resident.  The 
           file date/time, including seconds field, will not be altered. 
           [Previous Name In VSUM: Lycee-1888] 
           Origin:  USSR  June, 1993. 
       Mirea.1901: A 1,901 byte variant of the Mirea virus, Mirea.1901's 
           size in memory is 2,944 bytes, hooking interrupts 08, 09, 
           13 and 21.  Infected files will have a file length 
           increase of 1,901 bytes, though the file length increase 
           will be hidden when the virus is memory resident.  The 
           file date/time, including seconds field, will not be altered. 
           [Previous Name In VSUM: Lyceum.1901] 
           Origin:  USSR  July, 1994. 
       Mirea.1975: A 1,975 byte variant of the Mirea virus, Mirea.1975's 
           size in memory is 2,576 bytes.  It also hooks interrupts 
           08, 09, and 21.  Infected files will have a file length 
           increase of 1,975 bytes, the file length increase is not 
           hidden when the virus is memory resident.  The file's 
           date and time in the DOS disk directory listing will not 
           be altered.  No text strings are visible within the viral 
           code.  Some anti-viral programs may detect this variant 
           as the "Feist" virus. 
           [Previous Name In VSUM: Lycee-1975] 
           Origin:  USSR  December, 1992.

Show viruses from discovered during that infect .

Main Page